DETAILED ACTION

1. This action is issued in response to the Amendment filed on 09/07/2007.

2. Claims 1, 10, 18, and 23 were amended. No claims were canceled. No claims 
were added. 

3. This action is made Final. 

4. Claims 1-23 are pending in this application.

5. Applicant's arguments filed on 09/07/2007 have been fully considered but they 
are not persuasive. 



Claim Rejections - 35 USC §112 

6. The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and process of 
making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the 
art to which it pertains, or with which it is most nearly connected, to make and use the same and shall 
set forth the best mode contemplated by the inventor of carrying out his invention. 

7. Claims 1-23 are rejected under 35 U.S.C. 112, first paragraph, as failing to 
comply with the written description requirement. The claim(s) contains subject matter 
which was not described in the specification in such a way as to reasonably convey to 
one skilled in the relevant art that the inventor(s), at the time the application was filed, 
had possession of the claimed invention. 

The limitation including "previous accessed items" recited in claims 1, 4, 5, 10, 12, 13, 
18, 19, 20, and 23 is not clearly described in the specification. 

Any claim not specifically addressed, above, is being rejected as incorporating 
the deficiencies of a claim upon which it depends.

Claim Rejections - 35 USC § 103

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

9. Claims 1, 3 - 10, 12 - 20, and 22 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Win et al. (Win hereinafter) (US Patent No. 6,182,142 B1, issued: 
January 30, 2001) in view of Joshi et al. (Joshi hereinafter) (US Patent Pub App. No. 
2002/0091798 A1, filed: February 26, 2001). 

Regarding Claims 1, and 10, Win discloses an article comprising a machine-readable
medium storing instructions operable to cause one or more machines to
perform operations comprising: 

analyzing a plurality of database access statements that were issued for an 
application during the application's use (Col.2, lines 28 - 33, Win 1 ) to determine 
accessed items and types of access for the application (Col.2, lines 31 - 34, Win 2 ) 



1 Wherein examiner interprets the step of controlling access, particularly by receiving access information 
and identifying resources authorized (as disclosed by Win) as the step of analyzing the database access 
statements as claimed. 

2 Wherein the resources correspond to the accessed items claimed; and the roles correspond to the type 
of access claimed.

However, Win does not explicitly disclose that such plurality of access statements
were issued during use to determine previous access items and types of access. On the 
other hand, Joshi discloses access statements that were issued for an application 
during use to determine previous accessed items and types of access for the 
application (Fig. 30, Page 17, [0193], lines 1-19, Joshi). 

It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to incorporate the Joshi's teachings to the system of Win. Skilled 
artisan would have been motivated to do so, as suggested by Joshi (Page 1 and 17, 
[0016] and [0193], lines 13-17 and 7-19; respectively, Joshi), to be able to customize 
the resource being accessed for the user accessing the resource by, for example, 
determining whether the authentication scheme associated with the requested resource 
has been previously cached, and further determining the type of challenge method for 
authentication. In addition, both of the references (Win and Joshi) teach features that 
are directed to analogous art and they are directed to the same field of endeavor, such 
as, databases management systems, authorization, and authentication. This close 
relation between both of the references highly suggests an expectation of success. 

Furthermore, the combination of Win in view of Joshi discloses:

developing a role for the application based on the previous accessed items and 
types of access for the application (Col. 2 and 14, lines 35- 47 and 40 - 48; 
respectively; "...data entry form that accepts information defining a role. An 
administrator may complete and submit the data entry form for each role to be 
defined. In response, Registry Server 108 stores information defining a role in the
Registry Repository 110. Each role is defined by a role identifier value, a role name, an
associated functional group value, and a description..." Win; and Fig. 30, Page 7 and 
17, [0108] and [0193], lines 19 - 25 and 14 - 19; respectively; "...The Identity 
Management System policy determines which users can view identity profile attributes 
by defining a role by, defining a rule, identifying persons by name, or listing an 
identified group. In one embodiment, the rule mentioned above is an LDAP rule..." 
Joshi), wherein when the application is in use by a user, the developed role for the 
application allows the user database access (Col. 2, lines 39 - 40 and 47 - 49, Win; 
and Fig. 30, Page 17, [0193], lines 14-19; "...If the challenge scheme was not found in 
step 1122, authentication event handler 512 loads the authentication rule associated 
with the requested resource from Directory Server 36...", Joshi). 

Regarding Claim 3, the combination of Win in view of Joshi discloses a method 
wherein the database access statements comprise Structured Query Language (SQL) 
queries (Col. 7, lines 9-11, Win). 

Regarding Claims 4, and 12, the combination of Win in view of Joshi discloses an 
article wherein the previous accessed items and types of access include objects 
accessed (Col. 2, lines 31 - 33, the resources, Win; Fig. 30, Page 17, [0193], lines 1 - 
19, Joshi) and operations performed on the objects (Col. 2, lines 39 - 40, to use the 
resources, Win).

Regarding Claims 5, and 13, the combination of Win in view of Joshi discloses an
article wherein developing a role comprises determining permissions for the application 
based on the previous accessed items and types of access (Col. 3, lines 34 - 44, Win; 
and Fig. 30, Page 17, [0193], lines 1-19, Joshi). 

Regarding Claims 6, and 14, the combination of Win in view of Joshi discloses an 
article wherein the instructions are further operable to cause one or more machines to 
perform operations comprising determining which of a set of users are authorized to use 
the application (Col. 3, lines 13-14, Win). 

Regarding Claims 7, and 15, the combination of Win in view of Joshi discloses an 
article wherein the instructions are further operable to cause one or more machines to 
perform operations comprising: 

determining whether a user request to establish an application session has been 
detected (Figure 5B, item 516, Col. 10, lines 29 - 34, a login attempt, Win); 

finding the role for the application (Figure 5C, item 520 and 522, Col. 10, lines 57 
- 63, Win); and 

assigning the role to a user (Col. 13, lines 32 - 34, Win). 

Regarding Claims 8, and 16, the combination of Win in view of Joshi discloses an 
article wherein detecting a user request to establish an application session comprises 
determining if a user is authorized to use the application (Col. 13, lines 34 - 36, Win).

Regarding Claims 9, and 17, the combination of Win in view of Joshi discloses an
article wherein the instructions are further operable to cause one or more machines to 
perform operations comprising: 

detecting an end of the application session (Col. 9 and 10, lines 45 - 47 and 39 -
42; respectively, Win); and 

if an end of the application session is detected (Col. 10, lines 39 - 42, Win), 
disabling the assigned role for the user (Col. 10, lines 42 - 45, Win). 

Regarding Claim 18, the combination of Win in view of Joshi discloses a 
database security analyzer comprising: 

a communication interface operable to receive a plurality of database access 
statements that were issued for an application during the application's use (Figure 9, 
item 918, Communication Interface, Col. 27, lines 17-31, Win); 

a memory operable to store the issued database access statements (Figure 9, 
item 906, Main Memory, Col. 26, lines 8-15, Win); and 

a processor (Figure 9, item 904, processor, Col. 26, lines 36 - 42, Win) operable 
to develop a role for the application based on the previously issued database access 
statements for the application (Col. 2 and 14, lines 35- 47 and 40 - 48; respectively; 
"...data entry form that accepts information defining a role. An administrator may 
complete and submit the data entry form for each role to be defined. In response, 
Registry Server 108 stores information defining a role in the Registry Repository 110.
Each role is defined by a role identifier value, a role name, an associated functional
group value, and a description..." Win; and Fig. 30, Page 7 and 17, [0108] and [0193], 
lines 19-25 and 14-19; respectively; "...The Identity Management System policy 
determines which users can view identity profile attributes by defining a role by, 
defining a rule, identifying persons by name, or listing an identified group. In one 
embodiment, the rule mentioned above is an LDAP rule..." Joshi), wherein when the 
application is in use by a user, the developed role for the application allows a user 
database access (Col. 2, lines 39 - 40 and 47 - 49, Win). 

Regarding Claim 19, the combination of Win in view of Joshi discloses an
analyzer wherein developing a role comprises: 

analyzing the database access statements to determine previous accessed items 
and types of access for the application (Col. 2, lines 31 - 34, Win 3 ; and Fig. 30, Page 
17, [0193], lines 1-19, Joshi);

determining permissions for the application based on the previous accessed 
items and types of access for the application (Col. 3, lines 34 - 37, Win; and Fig. 30, 
Page 17, [0193], lines 1-19, Joshi); and 

developing a role associated with the application based on the determined 
permissions (Col. 2 and 14, lines 35- 47 and 40 - 48; respectively; "...data entry form 
that accepts information defining a role. An administrator may complete and 
submit the data entry form for each role to be defined. In response, Registry Server
108 stores information defining a role in the Registry Repository 110. Each role is
defined by a role identifier value, a role name, an associated functional group value, and 
a description..." Win; and Fig. 30, Page 7 and 17, [0108] and [0193], lines 19-25 and 
14-19; respectively; "...The Identity Management System policy determines which 
users can view identity profile attributes by defining a role by, defining a rule, 
identifying persons by name, or listing an identified group. In one embodiment, the rule 
mentioned above is an LDAP rule..." Joshi). 

Regarding Claim 20, the combination of Win in view of Joshi discloses an 
analyzer wherein the previous accessed items and types of access include objects 
accessed (Col. 2, lines 31 - 33, the resources, Win; and Fig. 30, Page 17, [0193], lines 
1-19, Joshi) and operations performed on the objects (Col. 2, lines 39 - 40, to use the 
resources, Win). 

Regarding Claim 22, the combination of Win in view of Joshi discloses an 
analyzer wherein the memory comprises instructions (Figure 9, item 906, Col. 26, lines 
8-12, Win), and the processor operates according to the instructions (Figure 9, item 
904, Col. 26, lines 36 - 38, Win). 

3 Wherein the resources correspond to the accessed items claimed; and the roles correspond to the type
of access claimed.

10. Claims 2, 11, 21, and 23 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Win et al. (Win hereinafter) (US Patent No. 6,182,142 B1, issued:
January 30, 2001), in view of Joshi et al. (Joshi hereinafter) (US Patent Pub App. No.
2002/0091798 A1, filed: February 26, 2001), and further in view of Paulley et al.
(Paulley hereinafter) (US Patent No. 6,665,664 B2).

Regarding Claims 2, and 11, the combination of Win in view of Joshi discloses an
article, wherein analyzing the issued database access statements comprises:

determining whether the plurality of database access statements have been
captured (Figure 5B, item 516, Col. 10, lines 29 - 34, Win 4 );

4 Wherein the step of recording a login attempt corresponds to the step of determining whether the
database access statements have been captured as claimed. Specifically, the user's name and password
correspond to the access statements claimed.

The combination of Win in view of Joshi also discloses: normalizing the database
access statements (Col. 14, lines 15-17, Win) and eliminating redundancies in the
database access statements (Col. 14, lines 15-19, Win).

However, the combination of Win in view of Joshi does not explicitly disclose:
normalizing the captured database access statements; and eliminating redundancies in
the normalized database access statements. On the other hand, Paulley discloses:
normalizing the captured database access statements (Fig. 4A, item 401, 402, Col. 13,
lines 34 - 44, Paulley); and eliminating redundancies in the normalized database
access statements (Fig. 4A, item 403, 404, 405, Col. 14, lines 45 - 49, Paulley). It
would have been obvious to one of ordinary skill in the art at the time the invention was
made to incorporate the Paulley's teachings to the system of the combination of Win in
view of Joshi. Skilled artisan would have been motivated to do so, as suggested by
Paulley (Col. 8, lines 20 - 25, Paulley), to provide better optimization of the original SQL
query without the system overhead that would result from full normalization. In addition,
the applied references (Win, Joshi, and Paulley) teach features that are directed to
analogous art and they are directed to the same field of endeavor, such as, databases
management systems, normalization, and elimination of redundancies. This close
relation between the applied references highly suggests an expectation of success.

Regarding Claim 21, the combination of Win in view of Joshi and further in view
of Paulley discloses an analyzer wherein developing a role comprises: 

determining whether the received database access statements have been 
captured (Figure 5B, item 516, Col. 10, lines 29 - 34, Win 5 ); 

normalizing the captured database access statements (Col. 14, lines 15-17,
Win; and Fig. 4A, item 401, 402, Col. 13, lines 34 - 44, Paulley); and

eliminating redundancies in the normalized database access statements (Col. 14, 
lines 15-19, Win; and Fig. 4A, item 403, 404, 405, Col. 14, lines 45 - 49, Paulley). 

5 Wherein the step of recording a login attempt corresponds to the step of determining whether the
database access statements have been captured as claimed. Specifically, the user's name and password
correspond to the access statements claimed.

Regarding Claim 23, the combination of Win in view of Joshi and further in view
of Paulley discloses a method comprising:

capturing a plurality of database access statements that were issued for one or
more applications during the application's use (Figure 5B, item 516, Col. 10, lines 29 -
34, Win), wherein the database access statements comprise Structured Query
Language (SQL) queries (Col. 7, lines 9 - 11, Win);

normalizing the captured database access statements (Col. 14, lines 15-17, 
Win; and Col. 14, lines 15-17, Win; and Fig. 4A, item 401, 402, Col. 13, lines 34-44, 
Paulley); 

eliminating redundancies in the normalized database access statements (Col. 14, 
lines 15-19, Win; and Fig. 4A, item 403, 404, 405, Col. 14, lines 45 - 49, Paulley); 

analyzing the normalized database access statements to determine previous 
accessed items and types of access for an application (Col. 2, lines 31 - 34, Win 6 ; and 
Fig. 30, Page 17, [0193], lines 1-19, Joshi), wherein the previous accessed items and 
types of access include objects accessed (Col. 2, lines 31 - 33, the resources, Win; and 
Fig. 30, Page 17, [0193], lines 1-19, Joshi) and operations performed on the objects 
(Col. 2, lines 39 - 40, to use the resources, Win); 

determining permissions for the application based on the previous accessed
items and types of access for the application (Col. 3, lines 34 - 37, Win; and Fig. 30, 
Page 17, [0193], lines 1-19, Joshi); 

developing a role for the application based on the previous determined 
permissions (Col. 2 and 14, lines 35- 47 and 40 - 48; respectively; "...data entry form 
that accepts information defining a role. An administrator may complete and 
submit the data entry form for each role to be defined. In response, Registry Server 
108 stores information defining a role in the Registry Repository 110. Each role is
defined by a role identifier value, a role name, an associated functional group value, and
a description..." Win; and Fig. 30, Page 7 and 17, [0108] and [0193], lines 19 - 25 and 
14-19; respectively; "...The Identity Management System policy determines which 
users can view identity profile attributes by defining a role by, defining a rule, 
identifying persons by name, or listing an identified group. In one embodiment, the rule 
mentioned above is an LDAP rule..." Joshi); 

determining which of a set of users are authorized to use the application (Col. 3, 
lines 13-14, Win); 

detecting a user request to establish a session of the application (Figure 5B, item 
516, Col. 10, lines 29 - 34, a login attempt, Win); 

determining if the user is authorized to use the application (Col. 13, lines 34 - 36,
Win);

if the user is authorized to use the application, finding the role for the application 
(Figure 5C, item 520 and 522, Col. 10, lines 57 - 63, Win); 

assigning the role to the user (Col. 13, lines 32 - 34, Win);

detecting an end of the application session (Col. 9 and 10, lines 45 - 47 and 39 - 
42; respectively, Win); and 

if an end of the application session is detected (Col. 10, lines 39 - 42, Win), 
disabling the assigned role for the user (Col. 10, lines 42 - 45, Win). 



6 Wherein the resources correspond to the accessed items claimed; and the roles correspond to the type
of access claimed.

Response to Arguments

1. With respect to the 35 U.S.C. 112, first paragraph rejection regarding the
limitation including "previous accessed items", applicant states that the specification of 
the disclosure supports such limitation in page 4, lines 4-12, page 6, lines 4-20, and 
page 8, lines 12-27. However, Examiner has only found support of the limitation 
including "accessed items". Therefore, the 35 U.S.C. 112, first paragraph rejection is
maintained. 

2. In response to applicant's arguments against the references individually, one 
cannot show nonobviousness by attacking references individually where the rejections 
are based on combinations of references. See In re Keller, 642 F.2d 413, 208 
USPQ 871 (CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 
1986). 

3. Applicant argues that the applied art fails to disclose; "developing a role for an 
application based on previous accessed items and types of access for an application". 

Examiner respectfully disagrees. The combination of Win in view of Joshi does 
disclose the limitation of: developing a role for an application based on previous 
accessed items and types of access for an application (Col. 2 and 14, lines 35- 47 and 
40 - 48; respectively; "...data entry form that accepts information defining a role. 
An administrator may complete and submit the data entry form for each role to be 
defined. In response, Registry Server 108 stores information defining a role in the
Registry Repository 110. Each role is defined by a role identifier value, a role name, an
associated functional group value, and a description..."; wherein Examiner interprets 
the step of defining a role as the step of developing a role claimed; and wherein the 
information that is accepted in the data entry form corresponds to the accessed items 
and types of access for the application as claimed; Win; and Fig. 30, Page 7 and 17, 
[0108] and [0193], lines 19 - 25 and 14 - 19; respectively; "...The Identity Management 
System policy determines which users can view identity profile attributes by defining a 
role by, defining a rule, identifying persons by name, or listing an identified group. In 
one embodiment, the rule mentioned above is an LDAP rule..."; Joshi). 

4. Applicant's arguments (such as, "The Win and the Joshi reference fail to teach at 
least this feature of the claim..."; and "Win and Joshi do not teach capturing, 
normalizing, and or eliminating redundancies in database statements... Paulley also fails 
to teach eliminating redundancies in database access statement...") fail to comply with 
37 CFR 1.111(b) because they amount to a general allegation that the claims define a
patentable invention without specifically pointing out how the language of the claims 
patentably distinguishes them from the references.

Conclusion

1. The prior art made of record and not relied upon is considered pertinent to
applicant's disclosure. 

2. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action.

1. Win et al. (US Patent No. 6,182,142 B1, issued: January 30, 2001) disclose a
distributed access management of information resources. 

2. Menninger (US Patent App. Pub. No. 2003/0069818 A1) discloses a system,
method, and computer program product for creating contracts using a graphical user 
interface in a supply chain management framework. 

3. Gold et al. (US Patent App. Pub. No. 2005/0102358 A1) discloses a web page
monitoring and collaboration system. 

4. Joshi et al. (US Patent Pub App. No. 2002/0091798 A1, filed: February 26,
2001). 

5. Paulley et al. (US Patent No. 6,665,664 B2).

Points Of Contact

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Giovanna Colan whose telephone number is (571) 272-2752.
The examiner can normally be reached on 8:30 am - 5:00 pm.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, John Breene can be reached on (571) 272-4107. The fax phone number for 
the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 

Giovanna Colan 
Examiner 
Art Unit 2162
November 15, 2007 




